Nearly a decade ago, computer security experts found a new kind of malicious software that would eventually infect more than 1 million computers in the United States and Europe and cause tens of millions of dollars in damages.
On Monday, a U.S. federal court sentenced Russian national Nikita Kuzmin on charges of conspiracy, bank fraud and computer intrusion for creating the software, named Gozi, and selling it to hackers who used it to steal money from bank accounts.
Prosecutors said Kuzmin "committed this crime purely out of greed" and helped pioneer a new kind of cybercrime that has become more prevalent in recent years.
"In renting the malware to others, Kuzmin made it widely accessible to criminals, in other words, to criminals who do not or need not have sophisticated computer science skills like Kuzmin and his Gozi co-creators," U.S. Attorney Preet Bharara said in a letter to the court. "From this perspective, Kuzmin's crime is particularly significant."
Under that model, malicious coders have expanded their reach from their own schemes to those imagined by anyone who wants to commit a cybercrime, even if they do not know how.
Gozi came to a user's computer through a file, such as a PDF, that looked normal to them, but once opened set the malware loose on the system. Because it was difficult for anti-virus software to detect, people had no idea the software was running, leaving their activities, such as logging into their account at a bank's website, free for Gozi to collect and send back to the hackers.
Prosecutors said security experts identified 10,000 account records from more than 5,200 people, which included login information for accounts with hundreds of companies. The infected computers included hundreds at the U.S. space agency NASA.
Kuzmin said he did not partake in stealing bank account information himself. He made money by renting use of Gozi to others and by collecting a portion of whatever they later stole with it. According to court documents, Kuzmin estimated he made at least $250,000.
The court said Kuzmin's punishment is the 37 months he has already spent in prison, as well as paying $6.9 million that authorities have identified as the losses incurred by two banks in the U.S. and one in Europe. Kuzmin earned a lighter sentence after providing "substantial assistance" in the investigation that also led to the conviction of Latvian national Deniss Calovskis and the arrest of Romanian Mihai Ionut Paunescu, who is awaiting extradition to the U.S.
But prosecutors say the scale of the crime is far bigger than the losses identified so far.
"Unlike most crimes, Kuzmin's crime -- the creation and distribution of harmful malware -- cannot be stopped simply by capturing the perpetrator, as the government has done here. Because Kuzmin sold the Gozi source code to others, Gozi can be used by others, and it is in fact still in wide use by criminals today," Bharara told the court.
Prosecutors noted Kuzmin's computer science education and legitimate business projects in slamming his crimes as greedy.
"Kuzmin used his talent and skills to create malware with the single purpose of stealing other people's money, and when he succeeded in doing that, he spent lavish sums on luxury sports cars, and extravagant travel and entertainment in Europe and Russia."